The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.

The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines now apply to all financial institutions that are:

  • Within the scope of the EBA’s mandate, including credit institutions
  • Investment firms subject to Directive 2013/36/EU (Capital Requirements Directive IV)
  • Payment institutions
  • Electronic money institutions

As a result, a wider range of companies, such as FinTech companies, will now face the challenge of remaining agile and competitive in fast-moving markets, whilst managing the administrative and practical challenges of maintaining compliance with the Guidelines.

The Guidelines come into force on 30 September 2019. Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines. Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December 2021. For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements – these requirements will continue to apply as they did prior to publication of the Guidelines. An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here.

While “critical and important functions” are subject to stricter rules, the Guidelines generally apply to all outsourcings by Covered Entities, including intragroup outsourcings, representing a further widening of scope when compared with the CEBS Guidelines. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. Following concerns raised in the Public Consultation, the EBA clarified in the Guidelines that regulators will not consider every outsourcing to a cloud solution as critical or important; rather, the same test applies as for non-cloud service providers, taking into account “cloud specificities”.

Under the Guidelines, the definition of “outsourcing” is based on the Commission Delegated Regulation (EU) 2017/565 and defined as: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.

The Guidelines define “critical or important functions” based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565, which includes functions that “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.

To outsource banking and payment services to a third country (i.e., non-EU) service provider, the Guidelines require the competent authorities responsible for supervising each party to have a co-operation agreement in place. Therefore, post-Brexit, the UK’s Financial Conduct Authority will need to agree a co-operation agreement with EU regulators to ensure that cross-border outsourced arrangements can continue between the UK and the EU27.

Key Considerations for Covered Entities

Balancing Innovation and Compliance

The EBA has approached these Guidelines with the new generation of outsourcing in mind. The Guidelines emphasise the reliance of financial services institutions on new technologies, and the EBA’s express reference to FinTech and cloud is a nod to the direction of travel that it anticipates for outsourcing in the future. Notably, the EBA rejected requests from respondents to the Public Consultation to delete “FinTech” from the Guidelines and/or to offer payment and electronic money institutions additional concessions to comply with the Guidelines’ terms, e.g., requests that new entrants to the market be granted a two-year grace period before the Guidelines apply.

FinTech providers that now find themselves subject to the Guidelines (and, by reference, the EBA’s guidelines on internal governance under Directive 2013/36/EU) may find complying with the Guidelines challenging and a drain on resources, particularly the robust governance processes and internal documentation requirements. Furthermore, entities seeking to use FinTech providers may face a challenge in balancing the desire to be innovative and to use new and upcoming products with satisfying the due diligence obligations under the Guidelines, which require Covered Entities to account for the service provider’s business reputation, abilities, expertise, capacity, resources, and organisational structure. On balance, such requirements tend to favour established service providers over emerging FinTech actors.

Managing Internal Governance

Covered Entities will also have to consider the Guidelines’ far-reaching requirements in respect of governing framework, intragroup structure, approach to risk assessment, and due diligence, as well as the content of outsourcing contracts.

Specifically, the Guidelines require Covered Entities to implement a written Outsourcing Policy defining the principles, responsibilities, and processes relevant to each phase of the outsourcing lifecycle. Many Covered Entities may need to formalise existing processes that are not clearly documented in a single policy. As well as documenting the internal risk management processes in place within the organisation, the Guidelines state that the policy should also define the procedures for, among others:

  • Notification of and response to changes from a service provider under an agreement
  • Renewal processes
  • Ongoing monitoring and assessment of the service provider’s performance

Accordingly, as these processes underpin how the Covered Entity engages with the service provider, the procedures documented in the policy will ultimately need to be flowed through to the relevant contracts in place. This step could lead to a considerable change in how Covered Entities approach negotiations, as they will be forced to require consistency across all outsourcing contracts on these specific procedures so as to align with their outsourcing policy. Covered Entities may therefore want to consider preparing rider governance schedules that are incorporated into all outsourcing contracts (whether on supplier paper or their own) to ensure that these processes are consistently documented across all contracts in accordance with the outsourcing policy.

Another significant new obligation on Covered Entities under the Guidelines is the need to maintain an updated register of information on all outsourcing arrangements including, “taking into account national law…documentation of ended outsourcing arrangements…for an appropriate period”. This maintenance may prove to be a significant task for Covered Entities, who most likely do not have such a record in place today — at least not to the granular level the Guidelines require. Covered Entities should consider whether they can leverage work undertaken as part of their GDPR compliance programme, whereby third-party vendors will have been identified and various details documented as part of the GDPR Record of Processing, when preparing this register. The Guidelines are not prescriptive as to the format of the register nor do they provide any specific requirements regarding periodic maintenance of the register. However, as Covered Entities may be required to produce the register upon demand, a live update of the register is recommended instead of a monthly/quarterly update. Covered Entities should include specific reference to the process for completing and updating the register in the outsourcing policy.

Intragroup Arrangements

The Public Consultation focused particularly on the applicability of the Guidelines to intragroup arrangements and concern that the Guidelines would hinder intra-group outsourcing. The EBA responded, noting that “institutions and members of the management body are responsible for ensuring robust governance arrangements and managing all risks…[t]he responsibility cannot be delegated”. Each individual institution therefore must be cognizant of their own responsibilities, notwithstanding a centralised, consolidated group arrangement or policy. For Covered Entities that have historically placed this onus on a centralised procurement function or service entity, this awareness of responsibility may require internal review.

In practice, intragroup outsourcing arrangements are likely to be reviewed with less rigour than third-party outsourcing and, as with many aspects of compliance with these Guidelines, proportionality will be key.

In preparation for Brexit, many firms have recently been revisiting and/or entering into new intragroup arrangements. Covered Entities that outsource critical or important functions intra-group must be able to demonstrate to regulators that they selected the group entity based on objective reasons, that the conditions of the outsourcing arrangement are set at arm’s length, and that the conditions deal explicitly with any conflicts of interest the outsourcing arrangement may pose. Covered Entities must also be cognizant of the fact that an outsourcing must not lead to a situation in which a financial institution becomes an empty shell that lacks the substance to remain authorised. To avoid this outcome, entities must retain sufficient resources and a robust operational and governance framework to effectively carry out their own management and oversight responsibilities. The increased cost of such compliance will need to be factored into business cases when considering the merits of an outsourcing.

Concentration Risk

The Guidelines also seek to manage the concentration risk (both intra-firm and sector concentration) that can arise from Covered Entities’ outsourcing arrangements. Sector concentration occurs if multiple Covered Entities rely on a small number of service providers, and is considered especially relevant by the EBA in the context of IT outsourcing. Competent authorities will use the outsourcing registers (described above) maintained by Covered Entities to manage this risk and track sector concentration. If concerns are identified, then “competent authorities should take appropriate actions, which may include limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements”.

While there is little, in practical terms, that Covered Entities can do to manage this risk (seeing as they, unlike the competent authorities, will not have visibility of their peers’ outsourcing arrangements), Covered Entities nevertheless should be aware of this risk when entering into major IT outsourcing arrangements. In particular, the Guidelines name cloud service providers as posing a particular concentration risk and, indeed, list certain “monopolist” providers. Covered Entities should consider the potential for concentration risk in their supplier down-selection processes (particularly if monopolists are involved) and, if appropriate, engage with their national regulators at an early stage of outsourcing. It will be interesting to see how the market develops with respect to the level of information, if any, that Covered Entities can receive from service providers regarding their engagement with other Covered Entities, and any contractual protections that may result.

This post was prepared with the assistance of Oscar Bjartell in the London office of Latham & Watkins.